EfiGuard Versions Save

EfiGuardDxe

• Compatibility fixes to support future versions of Windows. This affects Windows Insider builds 25941 and up. (#103)
• EfiGuardDxe now correctly clears and restores CR4.CET along with CR0.WP if needed. As a result of this, EfiGuard can now also disable write protection during copies from its runtime SetVariable hook, which it previously did not do due to the potential for conflicts with CET.
• Restored compatibility with EasyAntiCheat (EAC) (but see below). This fixes a regression introduced in v1.1.
  • Note: This fix requires Windows 11 or Server 2022 in order to work for reasons related to PatchGuard internals. Older versions will see no benefit. This is unlikely to ever change.
  • Note: Compatibility with anti-cheat software is not necessarily a goal of EfiGuard. This change fixes a regression that was affecting legitimate users. Issues complaining that EfiGuard isn't letting you cheat in video games will still be closed WONTFIX.

Loader

• Interactive driver configuration through the loader has been changed from a compile time to a runtime switch. If you were using Loader.config.efi, you can now access this functionality by pressing the <HOME> key when prompted.
• Fixed chainloading issue when using a third party boot manager such as Ventoy to boot Windows. (#91)

EfiDSEFix

• EfiDSEFix will now acquire SE_DEBUG_PRIVILEGE before attempting to query kernel modules. (#97) This is another compatibility fix for Windows Insider that will likely be required in future versions of Windows.
• Fixed invisible/hidden console output when running from a non-elevated prompt with UAC enabled. (#75)

EfiGuardDxe

• Updated Zydis to v4.
• EfiGuardDxe will now disable VBS during boot. This fixes a bugcheck in Windows 11 22H2, which enables VBS by default. The override does not persist and lasts until the next reboot, so disabling (or not booting into) EfiGuard is sufficient to restore VBS. Hyper-V and other Windows hypervisor features are not affected by this change and will continue to work.
• Updated all memory write accesses (hooks, patches) to clear and restore CR0.WP if needed. This is in anticipation of the new EFI_MEMORY_ATTRIBUTE_PROTOCOL introduced in UEFI 2.10.

Loader

• Improved robustness of the logic that determines whether a boot option is Windows. The loader will now take any boot option named "Windows Boot Manager" into consideration regardless of its filename. The previous filename-based detection is still in place and will be used as a fallback.

EfiDSEFix

• EfiDSEFix -i now prints currently enabled code integrity and VBS options and flags.
• Added -r command to read the current value of g_CiOptions without writing to it.
• EfiDSEFix -d and EfiDSEFix -c now verify that VBS is disabled before proceeding. Note that VBS being enabled most likely indicates that EfiGuardDxe was simply never loaded, so this is mostly a precaution.

• Fixed regression in EfiDSEFix on older versions of Windows 10.

There were no changes to EfiGuardDxe or the loader in this update.

• Fixed a critical issue where running EfiDSEFix -d on Windows 10 systems with KB5003173 (May 2021 update) applied would cause a BSOD.

There were no changes to EfiGuardDxe or the loader in this update.

• Greatly increased the robustness of backtracking to function start addresses needed for patching, compared to the previous heuristic. This was not causing any issues with current versions of Windows, but this change may be needed in order for EfiGuard to support future versions.

• Fixed issue where PatchGuard bugchecks could sometimes still occur on Windows 10.
• Fixed blue screen at boot when Riot Vanguard is installed.
• The loader now writes EFI memory type information in an attempt to work better with ACPI S4 (hibernate).

• Fixed unhelpful error when a legacy (BIOS) boot entry is being booted. This now works properly. Note: this change does not add support for legacy boot entries to EfiGuard, it only changes the loader's behaviour in the fallback path.
• Upated SeCodeIntegrityQueryInformation signature for Windows 10 20H1 preview.

• Fixed potential recursive self-boot by Loader.efi.
• Fixed EfiGuardDxe not calling its own unload routine when a non-Windows OS was being booted.

• Fixed EfiDSEFix -e not re-enabling DSE on Windows 8 and higher unless the value was manually specified.

First public release